Once upon a time the Malware, the main actor in the entire infection chain. A single file, once executed it was able to perform the tasks it was designed for, forcing the target machine into victim by taking control or simply execuritying desired (sometime priviledged) commands. In 2010, during my PhD studies, I was already observing a slow but certain change in this panorama. During that period Matt and I wrote for IEEE a paper title: “Multi-stage delivery of malware” (HERE) where we described how thrat actors were abusing mutistaging techniques to inoculate malicious and unwanted software.
Malware signature detectors use patterns of bytes, or variations of patterns of bytes, to detect malware attempting to enter a systems. This approach assumes the signatures are both or sufficient length to identify the malware, and to distinguish it from non-malware objects entering the system. We describe a technique that can increase the difficulty of both to an arbitrary degree. This technique can exploit an optimization that many anti-virus systems use to make inserting the malware simple; fortunately, this particular exploit is easy to detect, provided the optimization is not present. We describe some experiments to test the effectiveness of this technique in evading existing signature-based malware detectors.
Multi-stage delivery of malware – Abstract
Nowadays these thechinques are so used that we are facing multistage frameworks rather than Malware. I do prefer call them Malware delivery platforms. I am talking about EMOTET, TrickBot, QakBot and so on, those frameworks are not Malware anymore (even if they started as Malware), but are real and powerfull platforms able to deliver multiple Malware. Once the multiple Malware have been dropped and executed into a single or multiple targets, we are facing an implant. So, after 10 Years from such a paper how many platforms have been developed and how do they behave ?
Malware Delivery Platforms
In this post I’d like to fix on my meories the Malware Delivery Platforms in 2020. I believe those platforms are changing again and again, I bet we’ll see some new evolutions on the Malware infection chain panorama in early future so let’s write some simple notes on how things are working today. Please if you have more infos or if you want to make this post up-to-date, please contact me (from HERE), I will make updates and written thank you to every contributors.
Emotet
One of the most famous Malware Delivery Platforms. It is used to deliver (in 2020) Trickbot. Often involved in the multiple infection chain Emotet-Trickbot-Ruyk, developing one of the most spread Ransomware as a service in our recent history
TrickBot
One of the most sophisticated Malware Delivery Platforms. Often dropped and executed by Emotet (but not only) it’s famous to deliver Ryuk and Conti Ransomware.
BazarLoader
BazarLoader not such a spread delivery platform in 2020, used mainly to deliver Ryuk Ransomware and linked to TrickBot
QuakBot
Interesting new (if compared to Emotet) Malware delivery platform. In the past months it has been observed tight to MegaCortex
ProLock and Egregor
SDBBot
One of the most famous platform related to TA505. It’s actually a quite wired platform, quite simple if compared to the “mainland” but seen as entry point for Clopper
Dridex
A quite famous and ancient Banking Malware. It has got many upgrades during the years, nowadays it is mostly used as dropping platform mainly observed for launching BitPaymer and DoppelPaymer
Z-Loader
ZLoader is a wellknown Delivery platform, mostly used in Europe and US. It has been mostly observet for spreading Ryuk and Egregor.
BuerLoader
This is one of the latest entries in the Delivery Platforms landscaped. It is mostly seed to drop and execute Egregor and Ryuk Ransomware, while Sophos correlates BuerLoader Ryuk gang.
Trik
Nowadays is mostly spread in Japan and it’s a small and quite new Malware Delivery Platform. Todays known to drop and execute Avaddon.
Conclusion
This post is not about describing details on Malware Delivery Platforms (MDP), but it’s a simple way to freeze a state of the art as today (Decembre 2020) on MDP. This small post could be usefull for Cybersecurity Analysts and SOC operators which need to reconstruct the whole infection chain.
If you are aware on more platforms and you want to contribute, please reach me out and send commetns to me. I will update this post as soon as will receive your comments. It would be great to maintain this post up-to-date withing future platforms integrations.
